The word “endpoint” will be used here to refer to an “endpoint computing system”, for example a computing system such as a server, a desktop or laptop PC, a PDA or a Smartphone, or a set-top box. The words “endpoint host” or “host” hereafter refer to a primary processor-based computing system supported by any primary operating system. Conventionally, one endpoint often comprises only one host, and in such a case the host is the endpoint; a conventional desktop PC, for example, typically has a main processor, possibly one or more coprocessors, and typically runs an operating system. Additional subsystems such as various peripherals, network interface devices, modems, etc., with or without their own operating systems, are sometimes connected to such endpoint hosts for a variety of purposes.
Attacks on computer systems have advanced in variety and sophistication. Security functions work to protect endpoints and can generally be categorized into two groups: defense functions and immunization functions.
Defense Functions
The functions in this group are provided to computing systems for defending directly against known or unknown attacks. The functions can be implemented outside or inside an endpoint, that is, as network-based or host-based functions respectively. Various implementations of these functions are well known in the art. Brief descriptions of several defense functions are provided in the following.
Cryptography.
Cryptography provides confidentiality (for example encryption and decryption for privacy), integrity (for example a keyed hash such as a message authentication code, or a digital signature over a hash, to detect modification of data in transit; an unkeyed hash alone cannot do this, because an attacker who alters the data can simply recompute it), and authenticity (preventing identity spoofing, for example using digital certificates, and in general determining who is a valid user). Cryptographic functions are often incorporated in IPsec (Internet Protocol Security) or SSL (Secure Sockets Layer, succeeded by TLS) for virtual private network (VPN) deployments, as is well known. In applications, the confidentiality, integrity, and authenticity functions may also be used individually to meet specific needs.
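The following is an added illustration of the integrity and authenticity functions described above; it is not part of the original text and uses only the Python standard library. The message, the shared key, and the on-path attacker are constructed for the example. It shows that a plain digest shipped beside a message is recomputed trivially by whoever modifies the message, whereas an HMAC under a shared secret detects the modification and, since only a key holder can produce a valid tag, also establishes who sent it.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added example, not from the original text. Constructed message and key;
# stdlib only. Shows why the integrity function needs a keyed hash (HMAC)
# rather than a plain digest, which any on-path attacker can recompute.


def unkeyed_tag(message: bytes) -> bytes:
    """Plain SHA-256 digest sent alongside the message."""
    return hashlib.sha256(message).digest()


def verify_unkeyed(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(unkeyed_tag(message), tag)


def keyed_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 under a secret shared by sender and receiver; also gives
    authenticity, since only a key holder can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_keyed(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest is constant-time, so a wrong tag does not leak how many
    # leading bytes were right.
    return hmac.compare_digest(keyed_tag(key, message), tag)


def tamper_unkeyed(message: bytes) -> Tuple[bytes, bytes]:
    """On-path attacker: rewrite the amount and recompute the plain hash."""
    forged = message.replace(b"amount=100.00", b"amount=999.00")
    return forged, unkeyed_tag(forged)


def tamper_keyed(message: bytes, tag: bytes) -> Tuple[bytes, bytes]:
    """Same attacker without the key: the best it can do is reuse the old tag."""
    forged = message.replace(b"amount=100.00", b"amount=999.00")
    return forged, tag


def demo(key: Optional[bytes] = None) -> Dict[str, bool]:
    key = key or secrets.token_bytes(32)        # constructed shared secret
    msg = b"transfer amount=100.00 to=acct-42"  # constructed message
    forged_u, tag_u = tamper_unkeyed(msg)
    forged_k, tag_k = tamper_keyed(msg, keyed_tag(key, msg))
    return {
        "unkeyed_accepts_forgery": verify_unkeyed(forged_u, tag_u),
        "keyed_accepts_forgery": verify_keyed(key, forged_k, tag_k),
        "keyed_accepts_original": verify_keyed(key, msg, keyed_tag(key, msg)),
        "forgery_changed_message": forged_k != msg,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The unkeyed check accepts the forged transfer because the attacker recomputed the digest; the keyed check rejects it. Confidentiality is a separate function: an HMAC proves who sent a message and that it was not altered, but the message itself is still sent in the clear unless it is also encrypted.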
Firewalls.
Firewalls enforce access control over network traffic. Generally, a “perimeter firewall” is deployed as hardware and/or software at the perimeter of a private network, whereas an “endpoint firewall” is often deployed as software within an endpoint.
Antivirus.
Antivirus functions protect computers from viruses, worms, and trojans. We use virus here as a general term that also covers the other two types of such attacks. Antivirus typically acts primarily by scanning files and comparing them against a database of signatures of known viruses, and against sets of heuristic characteristics that tend to reflect the behavior of unknown viruses. Files can be scanned at desired times computer-wide, or upon actions such as opening, closing, or loading for execution. In addition, this function may also scan traversing traffic streams. Traffic streams such as email, web, and file transfers can carry viruses that never exist in the form of a file on disk during an attempted attack. Antivirus functions are well known in the art.
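The following is an added example, not from the original text, of the signature-scanning behavior described above applied to a stream rather than a file. The signature database is constructed for the example (none of the patterns is a real malware marker). It scans in fixed-size chunks, as a scanner inspecting a traffic stream must, and handles the case the paragraph implies but a naive chunk-at-a-time scanner misses: a signature that straddles a chunk boundary.

```python
import hashlib
import io
from typing import BinaryIO, Dict, List, Tuple

# Added example (not from the page). Constructed signature database: byte
# patterns and one whole-object SHA-256. None of these are real malware markers.
PATTERN_SIGNATURES: Dict[str, bytes] = {
    "Test.Pattern.A": b"MALICIOUS-PAYLOAD-A",
    "Test.Pattern.B": b"\xde\xad\xbe\xef\x00\x01",
}
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(b"known bad file contents\n").hexdigest(): "Test.Hash.Known",
}


def scan_stream(stream: BinaryIO, chunk_size: int = 16) -> List[Tuple[str, int]]:
    """Scan a byte stream chunk by chunk (a file, or a network stream that
    never lands on disk). Returns (signature name, absolute offset) pairs;
    a whole-object hash match is reported at offset 0.

    The last (longest pattern - 1) bytes of each window are carried into the
    next window, so a pattern straddling a chunk boundary is still found.
    Matches are keyed by absolute offset, so a short pattern that sits
    entirely inside the carried tail is not reported twice.
    """
    overlap = max(len(p) for p in PATTERN_SIGNATURES.values()) - 1
    tail = b""
    base = 0                      # absolute offset of tail[0]
    seen = set()
    hits: List[Tuple[str, int]] = []
    digest = hashlib.sha256()     # whole-object hash, built as we go
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        digest.update(chunk)
        window = tail + chunk
        for name, pattern in PATTERN_SIGNATURES.items():
            idx = window.find(pattern)
            while idx != -1:
                if (name, base + idx) not in seen:
                    seen.add((name, base + idx))
                    hits.append((name, base + idx))
                idx = window.find(pattern, idx + 1)
        keep = min(overlap, len(window))
        base += len(window) - keep
        tail = window[len(window) - keep:]
    verdict = HASH_SIGNATURES.get(digest.hexdigest())
    if verdict:
        hits.append((verdict, 0))
    return sorted(hits, key=lambda h: h[1])


def scan_bytes(data: bytes, chunk_size: int = 16) -> List[Tuple[str, int]]:
    """Convenience wrapper for in-memory data (e.g. a reassembled message body)."""
    return scan_stream(io.BytesIO(data), chunk_size)


if __name__ == "__main__":
    # Constructed sample: pattern A begins at offset 10 and crosses the
    # 16-byte chunk boundary.
    sample = b"A" * 10 + b"MALICIOUS-PAYLOAD-A" + b"B" * 20
    print(scan_bytes(sample))          # [('Test.Pattern.A', 10)]
```

A 16-byte chunk size is chosen only to force the boundary case on a tiny input; a real scanner uses large buffers, but the carry-over logic is the same. The example also shows why a stream scanner must process raw bytes as they pass: the hash signature can only be evaluated once the whole object has been seen, whereas the pattern matches fire as soon as the bytes arrive.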
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS).
An IDS utilizes one or more sensors to detect intrusion attempts and raise alarms; an IPS, placed inline in the traffic path, additionally blocks the offending traffic so that the intrusion cannot continue.
Application Firewall.
An application firewall is typically placed as a standalone apparatus in front of a server to “learn” the protected application. It intercepts and analyzes all incoming and outgoing application-layer traffic, and profiles the content and flow patterns of the application. It may simultaneously build or modify protection policies. These policies may also be manually adjusted to fit user requirements, so that the desired protection is applied against deviations from normal application behavior.
Application Proxy.
Application proxy functions generally exist in two forms: a forward proxy or a reverse proxy. A reverse proxy sits between external clients and a server, for example a web server within a private network. Its role is to provide a degree of isolation between the server within the private network and the external clients, thus securing the server and enabling appropriate control over the way the application is presented to the clients. A forward proxy, on the other hand, sits between clients in the private network and the Internet and is aimed at offloading real-time traffic, for example by caching client requests and responses. The forward proxy may also provide isolation between the private network and the Internet. In either form, the application proxy thoroughly examines the content of each traffic stream before it enters or leaves the proxy apparatus, determines whether the stream conforms to a pre-specified security policy, and allows or denies passage through the apparatus accordingly.
Application Filtering.
Application filtering filters communications associated with applications that have been deemed to pose security or productivity threats. Examples of such applications, which may facilitate intrusion attempts, are peer-to-peer file sharing applications such as KaZaA, instant messaging applications such as AOL Instant Messenger and Yahoo! Messenger, and adware and spyware components.
Content Filtering.
Content filtering is a function that filters, for example, URLs and spam, to make efficient use of network and human resources and to balance employees' work-related Internet use against recreational surfing.
Immunization Functions
This group includes functions for proactively providing computing systems immunity to known or unknown attacks. Deployment of immunization functions can be agent-based, where an agent software module is installed in each endpoint computing system, or agentless, where no agent software is required. Various implementations of these functions are well known in the art. Brief descriptions of several immunization functions are provided in the following.
Patch Management.
Patch management includes processes and tools for managing the deployment and maintenance of software and updates. With the increasing number of patches, service packs, and vulnerability updates from operating system and application vendors, keeping track of them and keeping systems up to date is a tedious and ongoing task.
Configuration Management.
Configuration management monitors a computing system's current configuration and records configuration changes. It strengthens security assurance by enforcing configurations that conform to a defined policy.
Policy Compliance and Enforcement.
This function typically identifies security settings that are out of compliance with standardized policy templates and enforces the policies to bring computing systems back into compliance, thereby proactively mitigating system vulnerabilities.
Vulnerability Scanning.
The goal of running a vulnerability scanner is to identify endpoints that are exposed to known vulnerabilities. Vulnerability scanning functions typically check for vulnerabilities in various categories, such as password integrity, file attributes, system configuration, network settings, etc.
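The following is an added example, not from the original text, that serves the three immunization functions just described: configuration management (recording the effective settings), policy compliance and enforcement (comparing them against a template and rewriting the out-of-compliance ones), and the system-configuration category of vulnerability scanning. The policy template, the required values and the sample configuration are this example's assumptions, not a published baseline; the keyword names are real OpenSSH sshd_config keywords. It handles two traps a naive line-by-line checker falls into: sshd uses the first value given for a keyword, so a later compliant-looking line does not fix an earlier bad one, and settings after a Match line are conditional rather than global.

```python
from typing import Dict, List, Optional, Tuple

# Added example (not from the page). Constructed policy template for an
# sshd_config-style file: real keyword names, assumed required values.
POLICY: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "MaxAuthTries": "4",
    "X11Forwarding": "no",
}


def _keyword(raw: str) -> Optional[Tuple[str, str]]:
    """(keyword, value) for a config line, or None for blanks and comments.
    Comment handling is simplified: '#' anywhere starts a comment."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split(None, 1)
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")


def parse_global(text: str) -> Dict[str, str]:
    """Effective global settings. sshd uses the FIRST value for a keyword
    (setdefault keeps it), and everything after the first Match line is
    conditional, so the audit of the global section stops there."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        kv = _keyword(raw)
        if kv is None:
            continue
        if kv[0] == "Match":
            break
        settings.setdefault(kv[0], kv[1])
    return settings


def check_compliance(text: str, policy: Dict[str, str] = POLICY
                     ) -> List[Tuple[str, Optional[str], str]]:
    """(keyword, actual or None if unset, required) per out-of-compliance setting."""
    effective = parse_global(text)
    findings = []
    for key, required in policy.items():
        actual = effective.get(key)
        if actual is None or actual.lower() != required.lower():
            findings.append((key, actual, required))
    return findings


def enforce(text: str, policy: Dict[str, str] = POLICY) -> str:
    """Bring the global section into compliance: rewrite EVERY occurrence of a
    managed keyword (so no earlier stale line can win), append missing ones
    before any Match block, and leave the Match blocks untouched."""
    global_lines: List[str] = []
    match_lines: List[str] = []
    in_match = False
    for raw in text.splitlines():
        kv = _keyword(raw)
        if kv and kv[0] == "Match":
            in_match = True
        if in_match:
            match_lines.append(raw)
        elif kv and kv[0] in policy:
            global_lines.append(f"{kv[0]} {policy[kv[0]]}")
        else:
            global_lines.append(raw)
    present = {kv[0] for kv in map(_keyword, global_lines) if kv}
    for key, value in policy.items():
        if key not in present:
            global_lines.append(f"{key} {value}")
    return "\n".join(global_lines + match_lines) + "\n"


# Constructed sample containing both traps.
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 4
# sshd ignores this second value: the first one above wins
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for finding in check_compliance(SAMPLE_CONFIG):
        print("out of compliance:", finding)
    print(enforce(SAMPLE_CONFIG))
```

Running it reports PermitRootLogin as "yes" despite the later "no" line, flags the two unset keywords, and the enforced output passes a second check. The Match block is preserved verbatim; a full scanner would evaluate the conditional overrides inside it as well, which this example deliberately leaves out of scope.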
Sensitive Data Management.
This function ensures information is used as intended based on policies assigned to users. It manages who can access sensitive information and how the sensitive information can be used, such as print, copy, paste, etc.
Asset Management.
This function is a process used for collecting computing system asset data, such as hardware and software version, license and cost information, how often they are used, trouble records, etc. This data can be used in evaluating security concerns, total cost of ownership, depreciation, licensing, and maintenance.
Password Management.
This function pertains to password and user ID administration for a part or all of the users within an enterprise. It involves the management of password and user ID issuing, changing, renewing, resetting, terminating, automation, etc.
Observations on Deployment in Enterprise Security Solutions
Background observations will be provided now on aspects of deployment of defense functions and immunization functions in enterprise networks.
Conventionally, the deployment of defense functions in enterprise networks can be network-based or host-based, or both. The host-based deployment requires multiple defense function software modules to be installed in each host. The deployment of immunization functions is generally host-based and requires an agent to be installed in each host for each supported immunization function.
Consequently, a deployed security infrastructure consisting of multiple defense and immunization functions may burden the host with multiple defense function software modules and a number of agents supporting the corresponding immunization functions. This situation may create software conflict and registry corruption issues in the host, causing end-user productivity loss and unnecessary IT labor cost for testing and validation, and it is exacerbated as the frequency of upgrades and patches for the security functions and the operating system increases.
It may also degrade performance and open a security gap, since host-resident security functions can be disabled by malware or by human carelessness.
In addition, the aforementioned multiple defense and immunization functions are managed by multiple vendors' management systems. The resulting heterogeneous environment gives rise to duplicated processes and technical and management complexity, leading to high total-cost-of-ownership (TCO) and low return-on-investment (ROI).
FIG. 1A depicts an example of a conventional deployment of security infrastructure supporting security management and endpoint protection. In this deployment, blocks 151-155 are examples of defense-function vendors' security management systems, blocks 161-165 are examples of immunization-function vendors' security management systems, and blocks 171-175 are examples of other types of security management systems. The connecting network 121 may be a private network, a public network, or both. The endpoint 102 comprises a network interface card (NIC) 180, a host 181, and other well-known circuitry. A collection of defense function and/or immunization agent software modules are downloaded individually from the aforementioned vendors' security management systems and executed in the host 181 along with non-security programs such as banking, healthcare, insurance, or any other user applications. Execution of security function software modules in host 181 often creates issues such as software conflict, disablement by malware or by accident, registry corruption, reduced computer performance, etc. In addition, multiple management systems are often deployed to manage the multiple security functions in an endpoint, creating further operating complexity as the number, type, application, and location of the endpoints increase. Consequently, high operating cost and productivity loss are often major issues for the security infrastructure. To alleviate some of these problems, some defense functions such as cryptography, firewall, and antivirus have been implemented in the NIC 180 hardware, driven by the NIC vendor's own proprietary software or by vendor-dependent software from a third party, but the benefits are limited, the solution cost is high, and security service distribution and management remain excessively complex and burdensome.
Observations on Security Services for Residential Internet Users
Background observations will now be provided related to acquiring adequate security services for residential Internet users.
The vast majority of residential Internet users do not have sufficient knowledge of computer security, and thus are unlikely to have adequate security protection. Another observation is that the user may experience disruptions that require retries and/or reboots during a security function download, and changes in computer behavior after the download. Another observation is that it is generally costly to acquire an adequate number of defense and immunization functions.
Background observations will now be provided related to residential Internet user subscription and billing methods for security services.
One practical aspect of security for the residential user is the need to subscribe to and pay for multiple security services. Billing and user payments are largely handled via separate subscriptions, separate bills, and separate payment processes.
Another observation is that numerous security vendors in the marketplace are available to provide various solutions to counter various security threats. These vendors desire exposure to potential markets. Users desire exposure to information about available security products that may be subscribed to or otherwise obtained. Despite the existence of information sources on the Internet and elsewhere, the necessary processes of identifying desirable vendors and products are inconvenient and often time consuming.
Observations on Password Management
Background observations will now be provided related to password administration.
Password management is integral to overall endpoint security, and is associated with many unmet needs, both for residential users and especially for enterprise endpoint users and IT managers. It is difficult for end users to remember numerous and periodically changing sets of passwords and user IDs, so end users oftentimes choose not to conform to security policy or practice and instead, for example, write password and user ID information down on a post-it note or in a computer file. Even end users who do conform to good security practice may forget their passwords and/or user IDs, and they must then typically call a helpdesk and request a password reset in order to re-enter their applications, or obtain a new password/user ID pair by other means. This process reduces end-user productivity and adds extra load and cost to an already-burdened helpdesk.